Reported in version: HG 1.2 Reported for operating system, platform: Linux, x86_64
Comments on the original bug report:
On 2019-02-07 13:46:27 +0000, Radue wrote:
PoC
A heap buffer overflow vulnerability was discovered in the SDL-1.2.15 library.
Asan output:
```
=================================================================
==25760==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f02111c5080 at pc 0x7f0216173b6a bp 0x7ffe2d19de10 sp 0x7ffe2d19de08
WRITE of size 4 at 0x7f02111c5080 thread T0
    #0 0x7f0216173b69 in SDL_FillRect /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/video/SDL_surface.c:610:5
    #1 0x7f0216178d3d in SDL_ClearSurface /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/video/SDL_video.c:507:2
    #2 0x7f0216178d3d in SDL_SetVideoMode /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/video/SDL_video.c:729
    #3 0x4dcf68 in CreateScreen /home/radu/apps/sdl_player_lib/SDL-1.2.15/test/graywin.c:112:11
    #4 0x4dd9d5 in main /home/radu/apps/sdl_player_lib/SDL-1.2.15/test/graywin.c:192:11
    #5 0x7f0214e4e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #6 0x435588 in _start (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/graywin+0x435588)

0x7f02111c5080 is located 0 bytes to the right of 31455360-byte region [0x7f020f3c5800,0x7f02111c5080)
allocated by thread T0 here:
    #0 0x4bc552 in malloc (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/graywin+0x4bc552)
    #1 0x7f02161ada7c in X11_SetupImage /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/video/x11/SDL_x11image.c:105:20

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/video/SDL_surface.c:610 SDL_FillRect
```
Reproducing steps:
Download SDL-1.2.15 library
./configure with Asan enabled
./make
sudo make install
cd examples
./configure with Asan enabled
make
cd test
./graywin -width 21312312313123213213213
On 2019-02-10 14:58:42 +0000, Radue wrote:
Assigned CVE-2019-7637 by MITRE.
On 2019-02-18 11:13:55 +0000, Petr Pisar wrote:
The width value from the "./graywin -width 21312312313123213213213" command is misinterpreted (atoi()) as -1 and then passed as a Uint16 argument to the CreateScreen() function. From then on the width has the value 65535 and travels to SDL_CalculatePitch(), where width (65535) is multiplied by BytesPerPixel (4) and the result is stored into the Uint16 pitch. Here is the root cause, because the pitch is clamped to 65532. As a result an SDL_Surface with a pitch smaller than width * BytesPerPixel is created, a too-small pixel buffer is allocated, and when the SDL_Surface is processed in SDL_FillRect a buffer overflow occurs.
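As an added illustration of the Uint16 truncation described in the comment above (example code written for this page, not code from the SDL project or from anyone in this thread): a small C model of the pitch computation, a checked variant that rejects the overflow instead of truncating, the per-row overrun a full-width fill would produce, and a strtol()-based parser in place of the test program's atoi(). The function names pitch_truncating, pitch_checked, row_overrun and parse_width are my own, and the model leaves out SDL's alignment padding.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

typedef uint16_t Uint16;

/* Simplified model of SDL 1.2's pitch computation (not the library's own
 * code; alignment padding omitted): width * BytesPerPixel is formed as an
 * int and then stored into a Uint16 field, so any product >= 65536 is
 * silently reduced modulo 2^16. */
static Uint16 pitch_truncating(Uint16 width, int bytes_per_pixel)
{
    return (Uint16)(width * bytes_per_pixel);   /* 65535 * 4 -> 65532 */
}

/* Hardened variant: compute in a wide type and reject anything that does
 * not fit a Uint16. Returns the pitch, or -1 when it would be truncated. */
static long pitch_checked(Uint16 width, int bytes_per_pixel)
{
    unsigned long full = (unsigned long)width * (unsigned long)bytes_per_pixel;
    return full > UINT16_MAX ? -1 : (long)full;
}

/* Bytes a full-row fill writes per row beyond what a pitch-sized row holds.
 * A positive result means the fill loop (which advances by pitch but writes
 * width * BytesPerPixel bytes) runs past the allocated pixel buffer. */
static long row_overrun(Uint16 width, int bytes_per_pixel)
{
    return (long)width * bytes_per_pixel
         - (long)pitch_truncating(width, bytes_per_pixel);
}

/* Replacement for the test program's atoi(): strtol() with errno, trailing
 * garbage and range checks, so an oversized value is rejected up front
 * instead of wrapping through -1 to 65535. Returns the width, or -1. */
static long parse_width(const char *arg)
{
    char *end = NULL;
    errno = 0;
    long v = strtol(arg, &end, 10);
    if (errno == ERANGE || end == arg || *end != '\0' || v <= 0 || v > UINT16_MAX)
        return -1;
    return v;
}
```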
This bug report was migrated from our old Bugzilla tracker.
These attachments are available in the static archive:
On 2019-02-18 13:19:39 +0000, Petr Pisar wrote:
On 2019-03-17 02:17:42 +0000, Sam Lantinga wrote:
On 2019-06-27 23:11:34 +0000, Anselmo L. S. Melo wrote:
On 2019-07-01 06:41:52 +0000, Sam Lantinga wrote:
On 2019-08-01 21:36:39 +0000, Ozkan Sezer wrote: